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Abstract 

We introduce a new type of cryptographic primitive that we call hiding fingerprinting. 

A (quantum) fingerprinting scheme translates a binary string of length n to d (qu)bits, typi- 
cally d <C n, such that given any string y and a fingerprint of x, one can decide with high accuracy 
whether x = y. Classical fingerprinting schemes cannot hide information very well: a classical 
fingerprint of x that guarantees error < e necessarily reveals f2(log(l/e)) bits about x. We call a 
scheme hiding if it reveals o(log(l/e)) bits; accordingly, no classical scheme is hiding. 

For any constant c, we construct two kinds of hiding fingerprinting schemes, both mapping 
x e {0, 1}™ to O(logn) qubits and guaranteeing one-sided error probability at most \/n c . The 
first kind uses pure states and leaks at most 0(1) bits, and the second kind uses mixed states and 
leaks at most l/n c bits, where the "leakage" is bounded via accessible information. The schemes 
are computationally efficient. 

Our mixed-state scheme is optimal, as shown via a generic strategy that extracts l/poly(n) 
bits from any fingerprint over 0(log n) qubits. 

Our results have a communication complexity interpretation. We give quantum protocols for 
the equality problem in the models of one-way communication and simultaneous message passing 
that have communication cost O(logn) and offer hiding guarantees that cannot be matched by 
classical protocols of any cost. 

Some of the technical lemmas in this work might be of independent interest. 

1 Introduction 

Cryptography probably is the area that benefits most from replacing classical computers by quantum 
ones. In particular, the most restricting classical "axiom" of computational cryptography, the one it 
owes its name to, can be partially removed: With quantum protocols it is no longer true that virtually 

any interesting cryptographic protocol can be safe only if computational limitations of a potential 
intruder are assumed. 

The famous quantum key distribution protocol by Bennett and Brassard MBB841 is a good ex- 
ample where the assumption that "an intruder is computationally limited" has been replaced by the 
assumption that quantum mechanics is valid in our physical universe. And if we accept quantum me- 
chanics, it is highly desirable to find more examples of quantum crypto-protocols with unconditional 
security guarantees: Besides pleasing those of us who prefer to keep their secrets for themselves, 
such examples might shed more light on the nature of differences between quantum and classical 
information. 
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Informally speaking, the possibility to use quantum mechanics in order to achieve unconditional 
cryptographic security comes from the fact that, in general, quantum states are not "cloneable" 
(cf. IIWZ821 ). Sometimes it can be very challenging to use this property alone (not making any com- 
putational assumptions) in order to build a cryptographic primitive; moreover, some very tempting 
goals are already known to be beyond the reach (cf. |May97[ ). It is the quest of quantum cryptography 
to understand what crypto-goals can be achieved in a universe where the laws of quantum mechanics 
are valid. 

1.1 Fingerprints and their hiding properties 

In this paper we will give a new example of a quantum crypto-primitive that is not achievable clas- 
sically. We call it hiding fingerprints. Noticeably, hiding fingerprints are impossible classically even 
modulo arbitrarily strong consistent assumptions. 

In the context of this work the meaning of (classical) fingerprints is as follows. Given a binary 
string x of length n, we want to (efficiently) produce its "partial description" by d bits, typically 
with d <C n, such that given only the description of x and any y € {0, l} n , one can test whether 
x = y with high accuracy. This can be achieved classically, for example by using a randomized 
mapping x — > (s, h s (x)), where h s is chosen at random from a 2-universal family of hash functions 
(s identifies h s inside the family). 

Quantum fingerprints have been introduced by Buhrman, Cleve, Watrous and de Wolf in MBCWdWOlll . 
however they were not treated as cryptographic primitives. Generally speaking, an n bits to d qubits 
quantum fingerprinting scheme is a mapping from n-bit binary strings to density matrices in 2 d - 
dimensional complex Hilbert space, such that when p x is the fingerprint of x then given p x and y, one 
can decide with high confidence whether x = y. Obviously, quantum fingerprints are a generalization 
of the classical ones. 

Let £ be a quantum fingerprinting scheme; we will be dealing with the following question. Given 
p x , how much classical information about x can be "extracted" from it? Formally, for any quantum 
measurement P, how large can be the mutual information between a random variable X = x that 
is uniformly distributed over {0, l} n and the outcome of P applied to p x l The supremum of that 
value is called the accessible information of £. In the special case when £ is a classical scheme, its 
accessible information equals the mutual information between X = x and a fingerprint of x that £ 
produces. 

We will say that a fingerprinting scheme is hiding if its accessible information is o(log(l/e)). 
This is the "cryptographic ingredient" that we add to the otherwise known notion of fingerprints. No 
classical fingerprinting scheme can be hiding, as we see next. 

Let collision be the event when a fingerprint of x leads its holder to the conclusion that "x = y", 
even though the two strings are different. Denote by e + the maximum collision probability, taken over 
all pairs x ^ y. Let e_ be the maximum, over all x's, probability that the fingerprint holder declares 

def 

"x 7^ y", even though y = x. Denote e = max {e + , £_}, this is the worst case error probability of 
the fingerprinting scheme. 

Let £ c i a be a classical scheme that guarantees error at most e. What happens when the holder 
of a fingerprint of x loops through all 2" possible values of y and makes his best judgment whether 
x = y? Let A contain those y's where the guess was "x = y", then on the one hand, the expectation 
of \A\ is at most (2 n — l)e + + 1, and on the other hand, x G A with probability at least 1 — e_. 
Therefore, at least (1 — e_) log 2 (l/e+) £ J7(log(l/e)) bits are leaked about x by its fingerprint in 
£ c ia (unless e = 0, in which case n bits are leaked). Accordingly, £ c i a is not hiding. 
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The same reasoning does not apply to the case of quantum fingerprinting schemes, where a binary 
string x £ {0, l} n is mapped to a quantum state p x , such that given any y G {0, l} n one can measure 
p x , in order to decide with high accuracy whether x = y. The argument fails because to make a guess 
whether x = y one may be required to perform a quantum measurement, and such measurements 
can, in general, change the state of a quantum fingerprint in an irreversible way. Alternatively, one 
can say that the "looping trick" cannot be used because p x is not necessarily cloneable. 

From the practical point of view, hiding fingerprints shall be used when there is a need for a 
"semi-trusted" agent to be able to perform string recognition, but not to share with others the ability 
to recognize the target. Putting it differently, hiding fingerprints allow to issue an "authorization" to 
perform certain pattern recognition limited number of times. 

1.2 Our results 

We construct new quantum fingerprinting schemes that hide information about x in a way that cannot 
be achieved classically. For any constant c, we construct two different schemes, both mapping x 6 
{0, l} n to O(logn) qubits and guaranteeing error probability at most l/n c when x ^ y and no 
error when x = y. The first scheme uses pure states and guarantees leaking of at most 0(1) bits; 
the second scheme uses mixed states and guarantees leaking of at most l/n c bits. As follows from 
the previous argument, these results introduce a new type of cryptographic primitives that cannot be 
achieved classically. 

Our schemes are computationally efficient. Constructions themselves are probabilistic: A de- 
scription of a scheme includes polynomial number of random bits, and using uniformly chosen bits 
results in a good construction with all but exponentially small probability. This random string can be 
viewed as a part of the scheme's definition, in particular it does not have to be kept in secret (e.g., it 
may be standardized to define a globally used scheme)Q 

The "hiding guarantees" of our mixed-state schemes are optimalU To demonstrate that we con- 
struct a generic strategy for extracting information from arbitrary quantum fingerprints. This "no-go" 
result remains valid for several weaker notions of fingerprinting schemes than what we construct (e.g., 
for schemes with two-sided error; see Section |4]for more). 

More formally, our main results are (cf. Theorems 13.131 and 14 . 5 1 > : 

Theorem 1.1. For any constant c there exist quantum fingerprinting schemes that 

• map n-bit strings to mixed states of O (log n) qubits and whose error probability and accessible 
information are both bounded by 1 /n c ; 

• map n-bit strings to pure states ofO(log n) qubits, whose error probability is bounded by l/n c 
and accessible information is 0(1). 

The schemes are computationally efficient and have one-sided error with e_ = (answers "x ^ y" 
are always true). 

Any quantum fingerprinting scheme that uses d qubits and guarantees error below 1/2 — 0(1) 
has accessible information 2~°W, 

'This is conceptually different from the role of randomness in any (nontrivial) classical fingerprinting scheme that 
inevitably depends on the assumption that the input strings x and y are chosen independently from the random seed used 
to build a fingerprint of x. 

2 Our optimality argument can probably be tuned to show that our pure-state construction is also optimal. We have not 
pursued that direction, since the mixed-state schemes are a natural generalization of the pure-state ones, and therefore the 
interest of showing optimality of a pure-state construction within its own class would be limited. 
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To the best of our knowledge, hiding fingerprints cannot be obtained via classical reduction to 
any previously known quantum cryptographic primitive. 

Some of our technical contributions might be of independent interest. 

1.2.1 Communication complexity perspective 

The notion of quantum fingerprints has been introduced in MBCWdWOll mainly in the context of 
communication complexity. The main conceptual contribution of the present work is to view quantum 
fingerprints as a cryptographic primitive. Nevertheless, our results can be interpreted in the language 
of communication complexity, as follows. 

The most common communication complexity scenario is the one where two players, Alice and 
Bob, receive two parts of input, x and y, respectively. The players communicate in order to compute 
the value of certain function f(x,y), trying to minimize the amount of communication. Various 
models exist that define the constraints that Alice and Bob have to obey when they compute f(x, y). 
Relevant to us are the following two: 

• One-way communication is a model where Alice sends a single message to Bob, who has to 
give an answer based on that message and his input y. 

• Simultaneous Message Passing (SMP) is a model involving a third participant, a referee. Here 
both Alice and Bob send one message each to the referee, who has to give an answer based on 
the received messagesJl 

In both the cases the players are computationally unlimited, and the cost of a communication protocol 
equals the total number of sent bits. Quantum analogues of the models can be defined, where players 
send qubits and locally perform arbitrary unitary transformations. 

One of the most basic communication problems corresponds to the equality predicate, where the 
goal of the players is to decide whether x = y. In general, fingerprinting schemes can be naturally 
viewed as solutions to the equality problem, as follows^ 

In the model of SMP , Alice and Bob both send the fingerprints of, respectively, x and y to the 
referee. Then the referee performs the swap test that would always return "equal" if x = y and would 
have positive constant probability of returning "not equal" if x ^ y. Thus, he can answer whether 
x = y with one-sided constant error. 

If such a protocol is based on our pure-state hiding fingerprinting scheme then its cost is 0(log n). 
It follows from the hiding guarantees of our schemes that this protocol is also hiding: an "eavesdrop- 
per" can learn at most O(l) bits of information about the input (x, y). 

On the other hand, as shown by Newman and Szegedy [NS96], the classical SMP-complexity 
of checking equality with constant error probability is Q(^/n). Their argument readily implies that 
any classical protocol leaks at least £l(^/n) bits about the input. Moreover, this holds for classical 
protocols of any cost! 

In the model of one-way communication, our mixed-state hiding fingerprinting scheme translates 
trivially to a protocol of cost O(log n) that solves the equality problem with error at most 1/ poly and 
leaks at most 1 / poly bits about the input. On the other hand, our classical impossibility argument 
implies that any classical protocol that solves the equality problem with error e necessarily leaks 
f2(log(l/e)) bits about the input, and this is true for protocols of any cost. 

3 We consider the version of SMP without shared randomness. 

4 This was used in |BCWdW01] to demonstrate exponential separation between the quantum and the classical versions 
of the SMP model. 
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2 Preliminaries and more 



Here we state only those technical lemmas that are relevant for the first part of the paper (construction 
and analysis of the new fingerprinting schemes). Lemmas that will be used only in the second part of 
the paper (showing optimality of our schemes) will be stated is Section |4~T1 

We write exp(x) and sg(x) to denote e x and (— l) x , respectively. We write log to denote the 
natural logarithm and log 2 for the logarithm to the base 2. We denote i = \J —\ (to be distinguished 
from the variable i). 

We let N = {1,2,...,} and [i] = {1,2,..., i}. We often implicitly assume the natural corre- 
spondence between the elements of [2 n ] and those of {0, l} n . For any finite set A we let Ua denote 
the uniform probability distribution over the elements of A. 

We use o to denote concatenation of strings. For any set A and x € A n we will write xi to address 

the i'th position of x; more generally, a^...^ = f x^ o • • • oxi k for (ii, . . . , iu) G [n] k . For two strings 

def 

x and y of the same length, we will let dn(x, y) = \{i \ x^ / yi}\ stand for the Hamming distance. 
For D G N, we write Jrj to denote the identity operator over C D . For a D x D matrix X, 

we denote the trace norm of X by ||X||i = tr (y/ X*X^j , and the operator norm of X by ||X|| = 

max{|Xu| | \v\ = 1}. 

We will mostly use Dirac's "bra-ket" notation for pure quantum states, but sometimes we will 
find it convenient to switch to the standard notation (e.g., both v and \v) will be used to denote the 
same unit vector in a Hilbert space). We will be addressing mixed states via their density matrices, 
and denote by Den[D] the subset of C DxD corresponding to density matrices. 



2.1 Random variables and their concentration 



The Hoeffding bound will be one of our basic tools, we will use it in the following form (Theorem 2.5 
in HMcD98ll ): 

Lemma 2.1. (Hoeffding bound) Let the random variables X±, . . . ,X n be mutually independent, 
satisfying E [X] i = \ii and cii < Xi < hi for some constants a,i and hi for all i. Then for any t > 0, 



< 2exp 



-2t 2 



The following lemma can be viewed as a generalization of the Hoeffding bound to the case of 
random variables taking values in c|l 

Lemma 2.2. Let the random variables X\ , . . . , X n take values in C and be mutually independent, 
satisfying E = and \Xi\ < Cifor some constants Cifor all i. Then for any t > 0, 



Pr 



[IE 



XA > t 



< 4exp 



Proof. By the Hoeffding bound (Lemma |2~TT) . for any u > 



Pr 



Xi)>u 



Pr 



[*(£■ 



Xi)>u 



< 2exp 



5 We view C as a vector space isometric to R 2 . For the general case of random variables taking values in an Euclidean 
space there are known "dimension-independent" bounds. We do not use one of those, instead we state Lemma [Z2l whose 
proof is "dimension-dependent" but the final expression is more convenient for our purposes. 
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As | £ Xi\ > t implies that either 3?(X) > ^JWfior 3f(X) -X<) > V / * 2 72> the result follows. 



The next statement will be very convenient for proving upper bounds on expected values of ran- 
dom variables. 

Lemma 2.3. Let f be a monotone non-decreasing function taking non-negative values, and let Y 



and Y be random variables satisfying Pr 



Y>y 



> Pr [Y > y] for every y such that f(y) > 0. If 



E 



f(Y) 



< oo then E 



/OH >E[/(y)]. 



Hpf ~ Hpf ~ 

Proof Let Z = f(Y) and Z = f(Y). Then Z > and for every z > it holds that 



Pr 



Z > z 



> Pr [Z > z\. 



Therefore, 



as required. 



B[Z] 



Pr \Z > z]dz < 



poo 








/ Pr 


Z >z 


dz = B 


Z 


Jo 









Our next goal is to prove yet another generalization of the Hoeffding bound. We will use a 
modification of the standard method for proving such bounds, namely the "Bernstein's trick". The 
next lemma is the main technical ingredient for that. 

Lemma 2.4. Let Y be a random variable satisfying E [Y] = 0, Y > aandPr [Y > y] < /3exp(— a(y- 
a)) for all y > a and some constants a < 0, (3 > 1 and a > 0. Then for every h £ (0, a/2] and 
cG (0,2], " 



E [exp(hY)} < c + exp 



"log?) 2 

n < exp 



V 



2a 2 



c + 



\ 



2d 1 



Proof. Denote by Ef, the event that (Y < b), were b > a + is a constant, and let If, be the 
Boolean indicator of E^. Then 



E [exp(hY)} =E[h- exp(hY)} + E [(1 - h) ■ exp(hY)]. 



(1) 



Let Y\ be a random variable distributed as Y modulo Et,. Then E [h • exp(hY)] < E [exp(/iY"i)], 
E [Y\] < E [Y] = 0, and a < Y\ < b. A standard result from the theory of concentration bounds 
(e.g., see Lemma 2.6 in HMcD9810 implies that 



E [exp(/iYi)] < exp 



Let Y% be a random variable satisfying Pr [Y2 > y] = /3exp(— a(y — a)) for all y > b. Then 
Lemma |2~31 implies that 



/•oo 

E [(1 - h) ■ exp(hY)] < E [(1 - h) exp(hF 2 )] = / exp(hy) ■ Paexp(-a{y - a)) 

Jb 



dy 



a 



"OO rOO 

exp((h -a)(y - a)) dy < (3a exp(-^(y - a)) dy. 
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From (Q]>, 



E [exp(hY)) < exp 



(b - af 



(b-a) 



a 



h + /3a / exp(— — (y — a)) dy 



= exp 

This holds for every b > a + therefore 



a 



/i 2 + 2/3exp( (6 -a)). 



E [exp(/iY)] < min | exp (y^) + 2/3 exp(-^V)) 



&/> log^ 



Let c G (0, 2] be any, and choose b' = \ log ^. Then 2/3 exp(-f b') = c and 



'b' 2 

E [exp(/iY)] < exp ( — h 2 ) + c = exp 



/^log^ 2 



2a 2 



-/i 2 + c, 



which is the first inequality stated in the lemma. Finally, 

,2 



Mog 2 ^ 2 



2a 2 

as log(l + c) < c for c > 0. 





f 




1 ( 


< (1 + c) exp 




2ft 2 


< exp 








V 



c + 



log 



2rf 



2a 2 



We are ready to prove a new concentration bound, that can be viewed as a "less demanding" 
analogue of the Hoeffding bound. 

Theorem 2.5. Let the random variables X±, . . . , X n be mutually independent, satisfying E [X] i = [i, 
Xi > a and Pr [JQ > x\ < /3exp(— a(x — a)) for all x > a, i G [n] and some constants a < 0, 

ft > and /3 > 1. Lef S n = Yl Xifor i G [n]. Then for every t G (0, -M, 



Pr 



< exp 



nt 2 a 2 



V 



244 log 



-5 n > n + t 

n 

Proof By Lemma|2T4l for any /i G (0, a/2] and c G (0, 2] 

E [exp (/i(5 n - npS))] = E [exp (/ipQ -//))] < exp 
By Markov's inequality, 

Pr [S n > nfi + nt] < exp(—hnt) E [exp (h(S n — rifj,))] < exp 



tct 



I 



nc + 



V 



n [ log ^£ 



nc + 



n I log 



2d 



2ft 2 



-h 2 -hnt\ . 
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Let 



co 



def t 2 a 2 



2 and ho = 

122 (logi) (logf 



def t« 



2 ' 



From ta < |, it holds that < co < 1 and < /io < a/2. Thus we may substitute h 
c = cq, still satisfying the requirements of Lemma 12.41 So, 



ho and 



Pr 



> n + t 

n 



( 



< exp 



nt 2 a 2 



nc 



\ 2 (tog 



co 
2 



It can be seen^that ta < y and /3 > 1 imply cq < t 2 a 2 / 4 (log , and therefore 



Pr 



1 



-S n >fi + t 



nc \ 

< ex P ( J = ex P 



nt 2 a 2 



( 



y 244 (Jog 



/Q 



2 ' 



as required. 



2.2 e-nets for pure states 

In our proof we will need a "continuous analogue" of the union bound: Namely, for every D G N 
we want to have some sufficiently large T, such that if certain event E(v) holds with probability at 
most 5 for any fixed vector v G C D , then with probability at least 1 — T5 there is no v' G C D such 
that -E(V) holds. Of course, in general that is not possible for infinite domains like C D ; however, 
the situation can be helped if there exists a "relaxed" version of E, that we denote by E' , such that if 
E(v) holds and d(v, w) < e, where d(-, •) is a measure of distance between vectors in C D and e is 
sufficiently small, then E'(w) must also hold. 

Fix e and let W e = {w\, . . . , wt} be a finite set of vectors from C D , such that for every v G C D 
there exists some Wi G W e satisfying d(v,Wi) < e (such sets are commonly called e-nets). Assume 
that for any fixed v G C D the probability that E'(v) holds is at most 5. Then, by the union bound, the 
probability that E'(w) holds for some w G W £ is at most T5. Now, if E(v ) holds for some v G C D , 
then E'{w) holds for at least one w G W £ , as the set contains an element at distance at most e from 
v. Therefore, the probability that E(v) holds for some v G C D is at most T5. 

The notion of distance between vectors can be formalized in many different ways, depending on 
the nature of E and E' . The following definition serves our future goals. 

Definition 1. For e > 0, we call a set M C C D of unit vectors an e-net for the set of pure states 
in C D with respect to the trace distance, if for every unit vector \ u) G C D there exists \v) G M, such 
that \\\u)(u\ — I^X^IIIi < e - 

The following lemma is a slight improvement over Lemma II.4 of IIHLSW041 and Lemma 4 of 
llBHL+051 . where the upper bound on the size of the e-net was (5/e) . 

6 Let x = ta and f(x, /3) = c / f2 °f ' ^ , then modulo x G (0, i] and /3 > 1 it is always true that ^ < 0. Let 

/ 4 ( log 4) 

/'(a) = /(x, 1), then £ > and therefore /(a;, 0) < /(i, 1) < 1. 
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Lemma 2.6. For every < e < 2, there exists an e-net for the set of pure states in C with respect 
to the trace distance whose size is at most (4/e) 2 ( D_1 ). 

The proof of the lemma is given in the appendix. 

3 New quantum fingerprinting schemes and their properties 

We will use the standard way to construct a (pure-state) quantum fingerprinting scheme based on a 
classical error-correcting code. Namely, given a code C from n to 2 d bits, we will define, for every 
a G {0, l} n , its fingerprint on d qubits via \u a ) = J2ie[2 d ] s s{h) where b = (&i, . . . , b 2 d) = 
C(a). 

It would be very convenient for us to use a perfectly random code C ; however we cannot afford 
that as we want our construction to be computationally efficient. On the other hand, we can get an 
efficient construction by using a random linear C, however it turns out that such code would not be 
"random enough" for our needs (we need more randomness to guarantee that a scheme is hiding)!] So, 
we define a new type of classical codes that still admit efficient encoding but contain more randomness 
than random linear codes. 

3.1 Random quasi-linear codes 

In the following definition we use 2 d to denote the codewords' length in order to make the notation 
more consistent throughout the paper. 

Definition 2. Let r, n, d G N, r < n < 2 d . An (n, r, 2 d ) -quasi-linear code C is represented by an 
2 d -tuple of (n — r)-bit vectors (ci, . . . , c 2 <i) and a 2 r -tuple of2 d -bit vectors (di, . . . , c?2 r )- Lor every 
a G {0, l} n we denote == a\i r , = f a| r +i,...,n> an d define 

c^^d^e^a^)) 2 ^, 

where © denotes bit-wise xor. 

In other words, (d\, . . . , c?2 r ) is an arbitrary code applied to the first r bits of a and (ci, . . . , c 2 d) 
defines a linear code that is applied to the last (n — r) bits; the actual encoding of a is the xor of the 
two codewords. 

For the rest of the paper we will write and to address, respectively, sc|i r and x| r + 1 n , 
when n, r and x € {0, 1}™ are clear from the context. 

Obviously, C(a) can be computed efficiently when r G O(logn) and d G O(log(n)). We call a 
quasi-linear code (uniformly) random if both (ci, . . . , c 2 d) and (d\, . . . , dyr) are selected uniformly at 
random. We will denote this distribution by Uc and write C ~ Uc to say that C is chosen uniformly 
at random (the values of the parameters n, r and d will be clear from the context). Note that efficient 
description of such code is possible as long as r G 0(log n) and d G 0(log(n)). 

The following property of random quasi-linear codes can be viewed as a generalization of the 

notion of minimal distance. Denote 7c == max { \du (C(ai), C(aq)) — 2 d ~ 1 1 | a\ 7^ 02}. Then 

7 Note that in the context of quantum fingerprinting there is no need to ever decode the underlying classical code, that is 
why using a random linear code would be computationally feasible, despite the fact that no efficient decoding is known to 
exist for such codes. 
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Lemma 3.1. For every t > 0, Prc~u c [lc > t] < 2 exp I n + r — 4^- 



Proof. Define A c = {C(ai) © C(a 2 ) | ai / a 2 }. Observe that i c = 5i © 5 2 U 5i U .62, where 
© is element-wise, i?i = {d ai ® d a2 | ai, a 2 G {0, l} r ; ai / a 2 } and 

B 2 = {« Cj , 01 a 2 ))^ I ai,a 2 G {0, l}"" r ; a x ± a 2 } = { {(a, a))^ | ^ a G {0, l} n " r } . 

Direct counting reveals that |Ac| < 2 n+r . 

It is easy to see that for every a\ 7^ a 2 the string C(a\) © C(a 2 ) is chosen uniformly at random 
from {0, l} 2 when C ~ lie- By the Hoeffding bound (Lemma [27Tb . for every t > 

-2t 2 ' 



Pr 



yi-1 



d H (C( ai ),C(a 2 ))- 
and the union bound implies the statement of the lemma 



> t 



< 2 exp 



2 d 



3.2 Pure-state scheme 

For the rest of the paper we assume that d G 0(log n) and that r G 0(log n). 

First, we define and analyze our fingerprinting scheme that uses pure states. Afterwords (Sec- 
tion [33]) we will consider a mixed-state scheme that can be viewed as a generalization. 

Definition 3. Let C be an (re, r, 2 d ) -quasi-linear code, we denote by £9 ure the following fingerprinting 
scheme. Every a G {0, l} n is mapped to 



1 

2^/2 



2 sg( 

;e[2d] 



where b = (pi, ... , 6 2 d) = C(a). We calf |ii a ) the fingerprint of a. 
Given |u ai ) and any a 2 G {0, l} n , in order to check whether a± 
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ai , 



w.r.t. the projective measurement {P a2 ,I 2 d — -P a2 }> where P c 



(12 



u, 



a 2 one should measure 
If the outcome 



1-12 I 



^0,2 I • 



corresponds to P a2 then "a± = o 2 " shall be returned, otherwise the guess should be "ai / a 2 ". 

Note that the transformation o — > \u a ) can be computed efficiently as long as C{a) is easy 
to compute for every a, and that the required projective measurement can be performed efficiently 
because d G 0(log(n)) and \u a2 ) is known. 

Intuitively, the fingerprints corresponding to different pre-images should be nearly orthogonal. 
This is formalized by the following lemma. 

Lemma 3.2. For {\u a } | a G {0, l} n } defined over a randomly chosen (re, r, 2 d )-quasi-linear code 
C, for any 5 > it holds that max {\(u ai \u a2 )\ | a\ 7^ a 2 } < 5 with probability at least 1 — 2 exp(re+ 



)■ 



Proof. 



K«aiK 2 )| 



1 



«e[2 d 



sg(6ij + b 2i ) 



t d H (h,b 2 ) 
' 2 d 



< 



2ic 
2 d ■> 



where b\ = C(a\) and b 2 = C(a 2 ). By Lemma [37T1 

'2 1C 



Pr 



2 rf 



> 5 



< 2 exp (n + r - 5 z 2 a 



as required. 
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Now let us see that £p Ure is likely to be a valid fingerprinting scheme. 

Lemma 3.3. For £p Ure defined over a randomly chosen (n, r, 2 d )-quasi-linear code C, it holds that 
e_ = always and that e + < 5 with probability at least 1 — 2 exp in + r — 2 d ~ l 5),for any 5 > 0. 

Proof. Clearly, when a\ = a2 the answer is always correct, that is e_ = 0. When, on the other hand, 
a\ ^ a,2 the probability of the wrong answer is |(u ai |ii a2 )| 2 , and therefore by Lemma [3721 e + < 5 
with probability at least 1 — 2 exp(n + r — 2 d ~ l 5), as required. ■ 



Our next goal is to show that £p Ure defined over a randomly chosen quasi-linear code C is hiding 
with high probability. This will be done in stages. 

Let us denote for every a G {0, l} n : p a == |u a X"Ua|> p' a *= 2 d ~ n Pa, and for arbitrary v G C 2<i , 

p v (a) = (v\ p' a \v). 

We will see later (Lemma 13.81 ) that for almost all choices of C we have ^2 a p' a = l2<i, and 
therefore p v (a) is a probability distribution over a G {0, l} n for every fixed unit vector v. Intuitively, 
this distribution corresponds to the "view about a" of a holder of p a who has measured it and got the 
outcome \vXv\. Therefore, if originally a was chosen uniformly then some sort of distance between 
p v and ^/{o,i} n should tell us how much has been learnt about a as a result of the measurement. 

The following technical statement is the key part of our upper bound on the accessible information 
for f c 

1U1 ° pure- 

Lemma 3.4. Let v G C 2<i be a unit vector and ciq G {0, l} n be fixed, and assume that £p ure is defined 
over an (n, r, 2 d )-quasi-linear code C, then 

23 

E [max{0,^(ao)log(2 n ^(a ))}] < — . 
C~U C 2 n 

In the view of the intuition expressed above, it shouldn't be surprising that we want to prove this 
kind of statement. Indeed, if p v is a probability distribution then ^ p v {o) log (2 n p v (ao)) is the 
relative entropy between p v and ^/{o,i} n - 



Proof. Let 



a def 



E 

i£[2 d ] 



then p v (ao) 



Pr 

c 



Pv(ao) > 



. a o 

-#r and for every t > 0, 
t 



2" 



Pr K° > t] 



Pr 



'{-1,1} u 



> sft 



< 4 exp 



(2) 



where the inequality follows from Lemma 12721 and the fact that ||u|| = 1. 



def 



Define g(x) = max {0, x log(x)} and let p be a random variable whose distribution satisfies 



def 



Pr [p>t]= 4exp(-t/4) = f(t) for t > 8 log 2. Then 

E[max{0,/i„(a )log(2 n /i t; (ao))}] < ^B[g(2 n p v (a ))} < — E [<?(£)], 



where the first inequality follows from the definition of g(-) and the second one is by Lemma 
(whose requirements are implied by Q and g's definition). 
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Finally, 



f°° ( df\ f°° 

E [g(jj)] = / x\og(x) I — — J dx = / exp(logx + log log x — x/4) dx < 23, 

^8 log 2 V dx J 78 log 2 

as required. ■ 

At this point we suspend our analysis of £p Ure and turn to a mixed-state scheme £ . Analysis 
of £y Ure will be resumed and merged with that of £^ ix in Section 



'pure 

™i of £ mt 
3.3 Mixed-state scheme 

To define our mixed-state scheme we introduce another parameter k G N U {0}, such that 2 k is the 
rank of every fingerprint (i.e., k = corresponds to a pure-state scheme). It will always be assumed, 
often implicitly, that d > k and r > k (the second assumption is probably less obvious, we need it 
for technical reasons). 

Definition 4. Let C be an (n + k,r, 2 d ) -quasi-linear code, where d > k and r > k. We denote by 
^mix the following fingerprinting scheme. For every x G {0, l} n+fe we let 



where b = (b\, . . . , b 2 d) = C{x). Every a € {0, l} n is mapped to 

1 

2 1 " 



k 



iG{0,l} 

We caii p a the fingerprint of a. 

Given p ai and any a 2 G {0, l} n , in order to check whether a\ = a 2 one should measure p ai 
w.r.t. the POVM measurement {P a2 ,I 2 d — P a2 }' where P a2 is the projection to the subspace ofM 2 
that is spanned by juioa 2 | i £ {0, If the outcome corresponds to P a2 then "ai = a 2 " shall be 
returned, otherwise the guess should be "a\ ^ a 2 ". 

Note that when k = the above definition gives £p Ure , and the notions of \u a ) and p a coincide 
with those considered in Section 13^21 To construct p a , the holder of a tosses i ~ ^k, produces 
\uioa\ui oa \ and then erases i. The measurement {P a , I 2 d — P a } can also be performed efficiently (as 
any explicit measurement on O(logn) qubits), the simplest way to do so is to represent the measure- 
ment as a projection in C 2<i+1 (recall that d G 0(log(n))) and perform that, using an auxiliary space 
of dimension 2 d . 

To see that £^ ix is a valid fingerprinting scheme with high probability, we will use Lemma 13.21 
together with the following technical lemma. 

Lemma 3.5. For < i < 2 r , let M be any mapping from an i-tuple of unit vectors in M. 2d to a 
unit vector in M 2 . Then for any s G {0, l} n ~ r , 5 > 0, and {\u a ) | a G {0, 1}"} defined over a 
randomly chosen (n,r,2 d )-quasi-linear code C, it holds that \(M(uq os , . . . ,«(i_i) s)| u ios)| < $ 
with probability at least 1 — 2 exp(— 5 2 2 d ~ 1 ). 
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Proof. Note that by the construction of quasi-linear codes, \ui OS ) is a uniformly random element of 

{2~ d/2 Yjk \k) | Pi, ■ ■ ■ ,/3 2 d G {-1, 1}}, even if conditioned upon v = M(uq os , . . .,u {i _ 1)os ). 
So, 



Pr [\(M(u 0os 



,U(i-X)os)\ u ios)\ < S) = Pr 







_ fce[2 d ] 





> l-2exp(-2 d - 1 5 2 ), 



where the inequality follows from the Hoeffding bound (Lemma |2~TI ) and the fact that \\v \\ = 1. ■ 

Let us see that £^ ix is likely to be a valid fingerprinting scheme. 

Lemma 3.6. For £^ ix defined over a randomly chosen (re + k, r, 2 d )-quasi-linear code C, it holds 
that e_ = with certainty and e+ < 5 with probability higher than 1 — 3 exp(n + r + k — 5 2 2 d ~ 4:k ~ 7 ), 
for any 5 > 0. 

Proof. Clearly, when a± = a.2 the answer is always correct, that is e_ = 0. 

When, on the other hand, at / 02, the probability of the wrong answer is tr(P a2 p ai ). Let 

def 

p 'a 2 = Ylie{ ,i} k u ioa 2 u* oa2 ; we will see that, with high probability over C ~ U c , both tv{P' a2 p ai ) 
and |tr((P a2 - P' a2 )p ai )\ are small. 



tr(P> ai ) 



E 



tr (u ioa2 u* oa2 p ai ) < 2 5 2 c 



(3) 



i£{0,ir 



where 5c* == max { li^re^ | | x\ 7^ £2}- 

Observe that P a2 = J2ie{o i} k ViV h where u/s are "orthonormalized ui oa2 's", as follows 



/ def / def 

Vq = VQ = U 0oa2 ; V i = U ioa2 



yivjVjUioaz; 



def / , I /1 

1 = vj IvA 



def 



Let Aj = ^ - u ioa2 , then 



i-l 



and 



|Aj| < |-u ioa2 - n-| + |nj - n-| < 2^ \v*u ioa2 \ < 2 k max{\v*u ioa2 \}, 

3=0 3 

\tT{(P a2 -P' a2 ) Pai )\ < \\Pa 2 -P' a2 \\ 

< II ( Uioa ? + Ai ^ U ioa 2 + A *) - { U i°a 2 U* oa2 ) 
i€{0,l} fc 

< 3 • 2 fc max{|Ai|} < 3 ■ 2 2k max {| 



(4) 



Vj Uioa 2 I } ■ 



IS 



0<i<i<2 fe 

Now we apply Lemma 13.51 where M is the mapping that, according to our orthonormalization 

process, maps (ttfcoa 2 )i=o to Vj. For fixed a 2 and j < i, the lemma guarantees that 3 ■ 2 2k 

less than 5/2 with probability at least 1 — 2 exp(— 5 2 2 d ~ Ak ~ 3 /9). By the union bound, the right-hand 
side of © is less than 5/2 with probability at least 1 - 2 2k exp(-<5 2 2 d " 4fc " 3 /9) > 1 - exp(2A; - 
5 2 2 d ~ ik ~ 7 ). Another application of the union bound implies that the same holds for every 02 with 
probability higher than 1 — exp(re + 2k — 5 2 2 d ~ Ak ~ 7 ). 
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By Lemma IH1 it holds that the right-hand side of © is less than 5/2 (i.e., 2 k b 2 c < 6/2) with 
probability at least 1 — 2 exp(n + r + k — 52 d ~ k ). Therefore, tr(P a2 p ai ) < 5 for every a\ ^ 02 with 
probability higher than 1 — 3 exp(n + r + k — 5 2 2 d ~ ik ~ 7 ), as required. ■ 

Our next step is a statement analogous to Lemma [3~4l that would apply to £^ ix . As before, we let 
p' a = 2 d ~ n p a and p v (a) = (v\ p' a \ v) for arbitrary v G C 2<i . 

Lemma 3.7. Let v G C 2d be a unit vector and ao G {0, l} n be fixed, and assume that £^ ix is defined 
over an (n + k, r, 2 d )-quasi-linear code C, where 2 k G o;(logn) and d G 0(log(n)). Then 

for every A > 0. 

We will follow in the footsteps of our proof of Lemma l3T4l however we will have to use somewhat 
"heavier" concentration tools. 

Proof. For every j G {0, l} k , let 



def 



^2 sg 1 

ie[2 d ] 



.(2) 



where x = j o a. Then p v (a ) = ^ E je{0 ,i} fc 
For every j, 



C~Uc 



E 

/3i,.-->/3 2 d~ w {-i,i} 



and E [//„(ao)] = l/2 n . Moreover, as we've seen in the proof of Lemma [3~4l from Lemma I2T21 and 
from ||t;|| = 1 it follows that that for every t > 0, Pr [oj%°(j) >t]< 4exp(— 1/4). Therefore, by 
Theorem E3] it holds that 



Pr 

c 



1+t 



k+2 



< 



-2 K t 



exp 



def 



3904 (logf f t 



fit) 



for < t < 4/7. Besides, it holds that < < 2 d . 

def 

As before, we define g(x) = max {0, x log(x)} and let ft be a new random variable that will re- 
place p v (ao) in further analysis. We define the distribution of ft by demanding that Pr [ft, > 1 + 1] = 
f(t) for < t < 4/7 and Pr [ft = 2 d ~\ = /(4/7). The requirements of Lemma l2.3l are satisfied by 
g(-), p and ft, and therefore 



E [max {0,^,(00) log (2^(00))}] < — ~E[g(ft)]- 



By the definition, 

E [g(ft)] = J*'\l + x) log(l + x) f-^j dx + 2 d d • /(4/7). 
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Clearly, /(4/7) G exp(-ft(2 fc )) and (1 + x) log(l + s) (-£) < 2 k x 2 f(x). For every A > there 
exists A x > 0, such that f(x) < exp (-^ A 2 fc 3; 2+A ) for < x < 4/7. So, 



E < J 2 k x 2 exp (- A A 2 fc x 2+A ) dx + exp (d + log d - 9, (V 

< • r (^r) + ex P (d - nh k )), 

where F(a) == / °° x a_1 exp(— x) dx is the Gamma-function. Therefore for 2 k G cj(logn) and every 
A > 0, 

Eb(^)]<0 / 

as required. 



3.4 Further security analysis of £^ ure and £% ix 

Based on Lemmas 13.41 and 13/71 we continue our analysis of £p Ure and £^ ix . From this point on and 
unless stated otherwise, we view the former as a special case of the latter, corresponding to k = 0. 
First, as promised earlier, we prove that for almost all quasi-linear codes C, we have ^ a p' a = I 2 d. 

Lemma 3.8. If C is an (n + k,r, 2 d ) -quasi-linear code such that the vectors c\ , . . . , c 2 d are all 
distinct, then ^ a p' a = I 2 d. In particular, if an (n + k, r, 2 d )-quasi-linear code C is chosen uniformly 
at random, then ^ a p' a = I 2 d with probability at least 1 — 2 2d+r ~ n ~ k . 

Proof. If ci , . . . , c 2 d are all distinct, then 

J2 p ' a = 2 d-n-k \U X )(U X \ 

a xe{0,l} n+fc 

= 2-"-^5] S g(fe ) ) i ©K (1) ) J ) l^sg^ec,,^ 2 )) ) m = i 2d , 

xW i,3 \x(V J 

where G {0, l} r , x( 2 ) G {0, l} n + k ~ r , and i, j G [2 d ]. 

Now let C ~ U c . For any fixed distinct i and j, q equals cj with probability 2 r ~ n ~ k . By the 
union bound, the probability that all Cj 's are distinct is at least 



2< 



n— fc ^ n2d+r— n— k 



1-1-1- 2 r ~ n ~ K < 2 

as desired. ■ 

Next we will argue that Xlae{o i} n ( a ) 1°8 {2 n Pv{o)) is unlikely to be large when C ~ Z^c 1 . 

Lemma 3.9. Let v G C 2d Z?e a unit vector and assume that C is a uniformly random (n + k,r,2 d )- 
quasi-linear code, then for every 5 > 



Pr 

r 



^ /^(a) log (2 n /i„(a)) > a k + 5 

ae{0,l} n 



< exp n - 2 r '- k - 2d 



w/iere a < 23, and a fc G 0(l/2 k ^/ 2 ~ x ^) for 2 k G w(logn) and any A > 0. 
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Proof. We will use concentration bounds in conjunction with the mean guarantees of Lemmas 
and 13771 

Define new random variables 

def 

£t(a) = max{0,/i„(a)log(2 T V 1J (a))}, 

then < /2(a) < 2 d ~ n d. From Lemmas E~4] and EH we know that Ec* [/2(a)] < 23/2 n for fc = and 
every A > 0, and Ec [/2(a)] G 0(l/2 ri+fc ( 1 / 2 - A )) for 2 k G w(logn). 

We want to bound the probability that Y^ a A( a ) > S. Let t = r — k, assume w.l.g. that t > and 
define 

4 = {i°i|j€{0,l}*} 

for every i G {0, 1}" _ *. Observe that for every £q G {0, l} n the random values (^C(a)j ae A io are 

distributed identically and independently when C ~ Uc, and the same is true for f/2(o)JaeAi ■ 
Therefore the Hoeffding bound (Lemma |2~TT ) can be applied, resulting in 



Pr 

V 



o > 



2> + g 

2n-t 



< 2exp 



2 2d d2 



def 

where /ig = Ec* [/2( a )l- Therefore, from the union bound: 



Pr 

u 



^ A(a) > a fc + 5 

ae{0,l}" 



< 2 n " m exp 



-,r-k-2d 




as required. 



As we discussed before, if X^ae{o i} n M«( a ) l°g (2 n /i«(a)) is small for a fixed u, that means that, 
informally, a holder of p a who has measured it and got the outcome \v)(v\ has not learnt much about 
a. 

Our next step will be to argue that, with high probability, ^ae{o l}" /^(a) log (2 n p v (a)) is small 
for every pure state \v) G C 2d . According to the same intuition (which will be formalized soon), that 
would imply that no outcome of a measurement of p a exists, that can tell much about a. 

First we argue that the function \v)(v\ i— > J2 a e{o i} n Mu( a ) 1°S (2 n /i«(a)) has a good continuity 
property (called the "almost Lipschitz continuity") in order to discretize "every pure state \v) G C 2<i " 
in the above argument. 

Lemma 3.10. Let C be an (n + k, r, 2 d )-quasi-linear code, such that ^ a p' a = I 2 d. Let < e < 2/e 
and \ v) and \ w) be unit vectors in C 2 such that \\ \v)(v\ — \w)(w\ ||j < e. Then, 



Vv(a) log(2 n p v (a)) - Y Hw(a) \og{2 n p w {a)) 



< 2 d - 1 elog-. 

£ 



Proof. Fixany a and we will prove \p v {a)\og(2 n d p v (a))—p w (a)\og(2 n d p w (a))\<2 d n 1 e\og(2/e). 
Without loss of generality, we can assume that p v (a) < p w {a). Then, 



Hwip) - p v (a) 



2 d - n tr(p a (\w)(w\-\v)(v\))<2 d - -\\\vw\ 



id— n— 1 



IwX^llli < 2 d ~ n - 1 e. 
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Therefore, 

/^(a)log(2"-%(a)) - ^(a)log(2^V(«)) 

= fi w (a) log(2 n -V(«)) " M«(a) log(2 n - d ^(a)) + AH, (a) log(2 n - V(a)) " M» log(2 n -V(«)) 



(^(a) - /i„(a)) log(2 n >™(a)) + /i„(a) log 1 + 



Mw(«) ~ Mk(q) 
/x„(a) 



Note that (/^(a) - /x„(a)) log(2 n d fi w {a)) < and ^,(a)log(l + (// w (a) - jj, v (a)) / fj, v (a)) > 0. 
Therefore, 



Ma)log(2"-V(a)) - Mu»(a)log(2 n - a ^,(a))| 

- log(2"- V») + M<0 log f 1 + ^( a )~^(°) 



< max<j -(/J, w (a) - /j, v (a)) log (2" d fi w (a)), fi v (a) log ( 1 + 



/i w (q) - /Xg(o) 
/x w (a) - /x„(a) 



/z„(a) 



< 2 d - 1 elo R -. 



< max|-(/i w (a) - /i„(a)) log(2 n (//«,(o) - fj, v (a))),fi v (a 

< max|2 d - n - 1 elog^,2 (i - n - 1 e 

= 2 d - n - 1 elog-. 

e 

By the triangle inequality, we have 

log(2"-V(a)) - ^^(a)log(2 n - d /i»(a)) 

a a 

The left-hand side can be rewritten as 

^^(a)log(2^V(«)) " J>4a)log(2"-Wa)) 

a 

^//„(a)log(2 n /^(a)) - ^^ lu (a)log(2 n /i w (o)) + I ^/i„(a) - ^^(a) J log 2' 

a a \ a a / 

^^,(a)log(2 n ^(o)) -^/^(a)log(2>™(a)) , 

a a 

which completes the proof. ■ 
We are ready to see that with high probability, Yl l°g (2™/^ (a)) is small for every \v). 

Lemma 3.11. Let C be a uniformly random (n + k,r, 2 d )-quasi-linear code. Let 5 > satisfy that 
e 3 / 2 5/4 < 2 d . Then, 



Pr 

c 



3\v) : M«(a)log(2"/i„(a)) > a k + S 

a£{0,l} n 



< exp I 2 d+1 lo 



+ n-2 



r-k-2d 



2d 



where is as in Lemma \3S\ 
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Proof. Let e = 2 2d 3 e 2 S 2 . By the assumption, we have e < 2/e. Then we have 



d | , 2 e«5 e«5 , 2 d+2 eS 1 5 

where the inequality follows from xlog(l/x) < 1/e. By Lemma |2T6l there exists an e-net M for the 
set of 2 a! -dimensional states with respect to the trace distance with size 



\M\ < ( - 



Suppose that the quasi-linear code C is such that there exists a unit vector v such that 

^ /A,(a)log(2 n / u 1) (a)) > a k + 5. 

ae{0,l} n 

Let w e M be a unit vector satisfying |||fX^| — I^X^I Hi < e - By Lemma l3TT0l 

2 S 

tiw(a)log(2 n n w (a)) > Yl ^(a) log(2 n ^(a)) - 2 d - 1 elog- > a k + -. 

ae{0,l}™ ae{0,l}" 

This implies that 



Pr 

c 



3 \v) : ^ /u v (a) log (2"^ (a)) > a fe + <5 

ae{0,l} n 



< Pr 

c 



3\w)eM: Y f^w(a) log (2 n fi w (a)) > a k + - 

a£{0,l} n 



By Lemma I3T91 and union bound, the right-hand side is at most 



|M| exp [n- 2 r 



r-k-2d 



2d 1 ^ l0g 



2J2 



+ n-2 



r-k-2d 



2d 



as required. ■ 

It remains to be seen that small values of ^ ^„(a) log (2 n /i„(a)) for all \ v) € C 2d indeed imply 
good hiding properties of the corresponding fingerprinting scheme. 

Lemma 3.12. Let C be an (n + k,r,2 d )-quasi-linear code such that c\, . . . ,c 2 d are all distinct. 
If a E {0, 1}™ is chosen uniformly at random, then the accessible information of the ensemble (p a ) is 
at most 

max Y Vv(a)log(2 n n v (a)) . 



ae{o,i} n 



Proof. We follow a similar path to that used in a proof in Section 2.2 of Leung HLeu09l| . Since 
the accessible information can be always achieved by a rank-one POVM, let M = {aj \ vj){vj\}j 
be a rank-one POVM achieving the accessible information, where \vj) is a pure state, aj > and 
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OLj = 2 d . If A is the random variable representing the choice of a and J is the random variable 
representing the measurement result of the state under M, then 

/acc = H(J) - H(J | A) 

= ~ Yl ^ log % + S a ifa I ^ a log a J + S a J fa I log fa I ^ a 

j a,j a,j 

j j a,j 



dlog2 + ^E a ^ fa\ Pa fa} log ^'i Pa fa"> 

dlog 2 + 1 ^ a,-2 n - d p' a K) log(2"- d <t,,Va It,,-)) 
^^ / x % .(a)log(2> u .(a)) 



< maxV^(a) log(2 n /z„(a)), 
it;) — ' 

1 ' a 

where the inequality follows from the convexity argument (the convex combination is at most the 
maximum). ■ 

Lemmas [3.3ll3.6[[3^8ll3.11l and l3.12l imply the following theorem: 

Theorem 3.13. For any constant c there exist quantum fingerprinting schemes that 

• map n-bit strings to mixed states over 0(log n) qubits and whose error probability and acces- 
sible information are both bounded by 1/ n c ; 

• map n-bit strings to pure states over O(logn) qubits, whose error probability is bounded by 
l/n c and accessible information is 0(1). 

The schemes are computationally efficient and have one-sided error with e_ = (answers "x ^ y" 
are always true). 

Proof. Let k = [4c lg n] , d = [(18c + 1) lg n] and r = [(60c + 3) lg n] , and let £^ ix be the mixed- 
state fingerprinting scheme defined over a randomly chosen (n + k, r, 2 d ) -quasi-linear code C. By 
Lemma [3T6l the probability that e + > l/n c vanishes as n — > oo. 

The probability that C violates the condition of Lemma l3T8l is negligible, so we assume the oppo- 
site, that allows us to use Lemma l3.12l Applying Lemma [3. Ill with 6 = l/(2n c ) to Lemma l3.12l and 
noting that a k £ 0(l/2 fe / 3 ) C o(l/n c ), we obtain that the accessible information is at most l/n c . 

Choosing k = and adjusting d and r accordingly gives the desired result for £p Ure . ■ 

Note that only polynomial amount of randomness is required in order to describe any of our 
fingerprinting schemes. Moreover, a random string may be published openly without compromising 
the hiding guarantees of the schemes. 
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Mixed-state schemes can be viewed as a natural generalization of pure-state ones. Our mixed-state 
construction achieves much better hiding guarantees (in the following section we argue its optimality), 
but even the pure-state one already reaches beyond the limitations of classical schemes, where we've 
seen (cf. Section [TTTI ) that 0(log(l/e)) bits are leaked by any scheme with error at most e. 

4 Optimality of our schemes 

In this part we construct a generic strategy for extracting information from arbitrary quantum finger- 
prints. We give a strategy that retrieves at least 1/ poly(-D) bits of information about x from a (w.l.g., 
mixed-state) fingerprint of x over log D qubits. 

We note that the following "no-go" argument remains valid for some weaker versions of finger- 
printing than what is guaranteed by Theorem |3.13[ namely: 

• schemes with two-sided error; 

• schemes that only work in average w.r.t. "balanced uniform" input distribution (i.e., (x,y) ~ 



information between the outcome of Py and x is at least 1/ poly(-D). 
4.1 Technical preliminaries 

Optimality of our scheme from Section [3] will follow from several technical lemmas that we state 
next. 

It is well known that the "distinguishability" of two arbitrary quantum states o\ and 02 is deter- 
mined by their trace distance \\ai — ct 2 1 1 1 . Informally speaking, we will show that a randomly chosen 
complete projective measurement distinguishes between o~\ and o~2 only poly(D) times less efficiently 
than a best distinguishing measurement. 

Let Ui denote the uniform distribution of unit vectors in C D . The following is a well-known fact 
about Uf. 

Claim 4.1. Sampling v ~ can be realized via the following algorithm: 

1 Independently sample u\ , . . . , and uj, . . . , uf from the standard normal distribution iV(0, 1). 



We need several technical lemmas. First, let us see that the length of the projection of a randomly 
chosen vector v ~ to any subspace cannot be "too concentrated": 

8 The idea of using randomly chosen projective measurements in order to prove a lower bound on accessible information 
has appeared in |JRW94| . However, our setting and the analysis are different. 





Proof. The density function of u is spherically symmetric. 
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Lemma 4.2. Let A C [D], 1 < \A\ < D. Then for some r\\ £ O ( 'whgD ) an ^V2 £ ^^ D 2 (iogD) i J' 

> m- 



Pr 

V~UP 



J2\ v \ Z-JT + li 



It is easy to see (by linearity of expectation and the fact that \v\ = 1) that E z 



Ea\v 1 



\A\ / D, and therefore the above statement can be viewed as complementary to concentration bounds. 
Proof. In the notation of Claim l4.ll 



Pr 

v~UP 



Pr 



Pr 



Pr 



E 



E 



> 



|A| +£>£ 

D - |A| - De 



(5) 



E^(K) 2 + K) 2 ) ~ D-\A\-De_ 
> Pr [y+ > 2 | A| + 2De] • Pr [y~ < 2D - 2 |A| - 2De] , 



where y + = f ^2 ieA ({u J r ) 2 + ( u l) 2 )> ^~ = E^aCC"^) 2 + ( n i) 2 )' and tne inequality follows from 
Y + and Y~ being mutually independent. 

We analyze the behavior of Y + and Y~ . Let "0" stand for either "+" or "— ". The distribution 
of y is known as x? , where k + = f 2 \A\ and fe _ = f 2D — 2 \ A\; its density function is 



def 



ip Q (x) 



cxp 



(-1) 



„fc /2-l 



2 fc0 / 2 r(fc©/2) 

(cf. IUKB94P . One can see that E [Y & ] = k & and E \(Y & ) 2 ] = k &2 +2k @ (thus, Var [Y & ] = 2k & ). 



For 7® = 5k Q log(k & ) + 20, let Y% be distributed as Y & modulo Y & < 7® The density 



function of Y® Q is 



a^ei^(x) if x < 7 fc 



o 



for a 7 © 



and 



where 



def 



1/Pr [y© < 7 ]. Then 



k Q > E 



1" 







<Xy0 







fc® 



else 



anl>°(x)dx ) > fc -C° 



E 



y? 



o 



a 7 © ( /c° 2 + 2fc® 



x 2 ^°(2;) cte ) >k & " + 2k & - C e 



o 2 



.0 A0 



( = sV>(a;)ds< 



2^4®/2) L exp (-f ) ^ 



(6) 
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(the inequality follows from x 2 ■ exp(— x/2). 



„fc /2-l 



7 ). In particular, C° < 1 and Var \Y®] > 2k & - C° > k & and 



< exp(— x/4), as guaranteed by our choice of 



Denote: 



Then 



which implies 



E 



(7) def _ 

lP = E 

f7) def _ 

/i° = E 

def _ 

A*_ = E 



> Var 



y 



/ 7 ® > A:°/ 7 G 







y0 
- f 7 © 



y 



^ > ^ 



y® <r n & 



A° Q ^ E 
g®^Pr 



,0 <te? 



Pr 



y < (7® 



<7 (nt-» & )+q® (/i -/i?)=A®, 
g® + g® = l, 



g? (m? - ^ ) = £ (^ " M ) = A /2. 
Clearly, < Y% < 7° implies that 

qf/3 



Pr 



> 



1 



o 



and Pr 



yf <a£+£ 



> 



g®£ 

^0 



for every j3 > 0. Choosing /3 = (/it — /t + )/2 gives 



(7) 



(8) 



Pr 



y + + > (m + +/4)/ 2 



> 



g+ (/4 - /i n 
27+ 



4 7 H 



and similarly, via /3 = (/i — /i_)/2 one obtains 



Pr 



y+ < (/i- + /ii)/2 



> 



47- 



On the other hand, © implies that /it — /i + > A + /2 and /i — /i_ > A /2. Therefore, from 



©: 

Pr 

and similarly, 



yt > k + - c + + 



27+ 



> Pr 



y+ >/ i + + A+/2 



A+ k+ 
> > 



47+ 47- 



2 • 



Pr 



y~ < k- 



27- 



> 



47- 



From © it is obvious that ( + < ^4p, and therefore, by the definition of Y + , 



Pr 



y + > 2 1^| + 



4 7 H 



> Pr 



1 



Y+ > k + + 
7+ - 4 7 



> 



k+ 



47- 



_2 ' 
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By the definition of Y _ and the obvious fact that Pr [Y < 7 ] > 1/2, 



Pr 



Y~ < 2D -2\A\ 



27- 



> Pr [Y~ < Y 



Pr 



YZ < k- 
7 — 



k' 



2 7 - 



> 



87 



.2 ■ 



Observe that > 51g(logD) . 



and 



> 



1 



implies 



as required. 



Pr 



£l»f>W + 



llDlogD 
1 

D ' 88L> 2 log I? 



for large enough D. Together with © this 
1 



> 



83232 -D 2 (log DY 



Denote by U\, as the uniform distribution of orthonormal bases of C D (i.e., the Haar measure). For 
p G Den[D], we will write Pv~u bas {p) to denote the distribution of the outcome of Pv{p) when 
V ~ ^/bas- We will implicitly identify an outcome of Pv~u bss (p) with the corresponding unit vector 



•<D 



We need yet another "anti-concentration" statement, this time to say that the outcomes of i"V~« bas (p) 
cannot be too concentrated for any fixed p: 

Lemma 4.3. Let B be a subset of unit vectors in C D , such that UP(B) > e. Then for any p E 
Den[D], 

e 4 

Pr [veB}> . 

v~P v ~u bas (p) 256 

Intuitively, by choosing p adversarially one can selectively "hide" some unit vectors in C D from 
-FV~« bas (/9). However, only those v's are hidden well that are almost orthogonal to all spectral com- 
ponents of p, and that cannot happen to too many v's simultaneously; in particular, if B is sufficiently 
large then it is impossible to efficiently avoid all its elements. 

Proof. Observe that the distribution is the same as Py^u h ^{l£)/D), and its density function is 
constant on the support (unit vectors in C D ) - denote it by <j)Q. Then by linearity, for any p the density 
function of Pv~u bas (p) is 

4> P {v) = 4> -D- {v\p\v) . 



For 5 = e 3 /64, let us bound from above the value of 



Pr 

v~U[> 



,(v) <5-M =Pr[{v\p\v) <5/D}. 
up 



(9) 



The expectation of (v\p\v) is 1/D, and therefore the value is maximized when p has rank one (if p 
is a mixture that makes the value of {v\p\v} more concentrated). On the other hand, for every fixed 
uq and v ~ U±, the distribution of |(tto|f)| only depends on \uq\ (and not on the "direction" of uq). 
Therefore, in order to bound ©, we can assume w.l.g. that p = |uoX^o|> where no = (1, 0, ... , 0). 
That is, 

Pr [<f> p (v) < 5 ■ M < Pr [l^l < ^6/D\ , 
v~Uf> UP L -I 

where v 1 is the first coordinate of v. 
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By Claim |4~T1 we have: 



Pr 

v~uP 



*| < y/S/D = Pr l^l/IMI < y/5/D < Pr | tx 1 | < 



+ Pr 



„2 4D 
kt > — 



We know that ||ii|| 2 ~ x|d> an ^ therefore its expectation is 2D and Pr ||u|| 2 > AD/e < e/2 



< 



by Markov inequality. We also know that ^(u 1 ) ~ -/V(0, 1), and therefore Pr \u 1 \ < 
= e/4. We conclude that Pr„^D [0 p (u ) < 5 ■ <p ] < 3e/4. 
Let B' = {?;G-B| p (u) > 5 • (fio}, then it necessarily holds that U^{B') > e/4. By the defini- 



tion of B', 



and the result follows. 



Pr ( A^B']>6.UF(B')> 6 ^ = ^- 



The next lemma will be the core of our optimality argument. 
Lemma 4.4. Let 01,02, p 6 Den[D], satisfying ||e>"i — 02II1 = S > 0. Then for some £ G 

^(z^logl))' 

Pr [<u|<7i|u> > (l + ^H^M € fi((Z?log£>)- 20 ). 

Proof. To prove the statement, we will first consider the simpler case when v ~ U®, then see what 
happens when v ~ Pv~u bas (p)- 
Let cr' == <7i — o"2, then 

Pr [(u|o-i|u) > (1 + (v\a 2 \v)} = Pr [(u|<t'|v) > £ (v\a 2 \v)] > Pr [(u|<x'|u) > £] • 

V~UP 



Let cr' = 53£=i e « l M iX n «l t> e a spectral decomposition, A + = f {i | ej > 0} and A = {i | ej < 0}, 
then for every £ 



def 



Pr [(vIct'Iv) > £l = Pr 



Pr 



|(uj|v)| 2 > i 



^2 ei |(ni|-i;)| 2 > £ + ^2 -ei \(ui\v}\' 
ieA+ i<=A~ 



(10) 



> Pr 



V ei\(ui\v)\ 2 > £ + E 
v~UP 



e i\( U i\ V )f 

i£A+ 



where the inequality follows from ^ a = and the fact that the random values Xm+ e * I { u i\ v )\ 2 an ^ 
J2a- ~ e i \ ( u i\ v )\ 2 are anti-correlated when v ~ Uf. 

Observe that Yl \ e i\ = ^> an d so e « = V^- As E?; |(u|u)| 2 = 1/D for any unit vector u 
and the right-hand side of ( fTOb is symmetric w.r.t. any unitary rotation of the vectors 



Pr K^k'h) > Cl > Pr 



El -f 1 2 . j. 
ei-f >£H 
I 1 - s 2D 



i£A+ 



(11) 
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From LemmaEOl for some r/i G ^(g^To) and V2 G ^( i^og. £>)^ 



Pr 



v~~>. I j |2 \A+\ 



> r/ 2 . 



By the linearity of expectation, 



E 



E e * • 1^ 



2^ \v % \ > L - F r 1 + m 



ieA+ 



D 



> 5 \A + \ + r]iD 5 5r]i 
~ 2D L4+I ~2D + 2D' 



Therefore, for some £ G n ( D3 / og£ , ) and r] 3 G ( (Dlo g D) 5 1 , 



Pr 

v~UP 



2L> 



Pr 

v~UP 



E, -,2 . 5 <5r7i 



2L> 4L> 



> Pr 



Ei » 1 2 ^ \A~ , 



i£A+ 



> ~ = fa- 



4L> 



E e * 



21? 



From O, PVttf > C] > fa- 

Applying Lemma 1431 to the set {v G C D | > £, = l}, we conclude that 

Pr UvWlv) >e] >Ml e nf 7 — t^tt 



and the result follows. 



4.2 Optimality statement 

The following theorem concludes our optimality argument. 

Theorem 4.5. Let = {4>{x) | x G {0, l} n } C Den[D] be a quantum fingerprinting scheme that 
guarantees error below 1/2 — Q(l). Then fea&s f2(.D~ ) bits of information. 

The theorem implies that any quantum fingerprinting scheme that leaks £ bits about x requires 
fi(log(l/£)) qubits, and therefore our mixed-state construction of Section [331 (cf. Theorem 13. 131 ) is 
optimal. Note that while our constructions of fingerprinting schemes guarantee one-sided error, the 
above theorem remains valid also for schemes with two-sided error. Moreover, Theorem 14.51 theorem 
still holds for schemes that only work on average under the balanced uniform input distribution. 

Proof. We will show that for any a measurement Py chosen at random w.r.t. V ~ ZYb as is likely 
to have the following property: The outcome of P(4>(X)) has mutual information fl(D~ ) with the 
random variable X ~ W|o,i} n - 

Assume X = xq. Let p == E x . g {o,i}™ I^K^)]- Call a unit vector v G C D XQ-e-good if {v\4>{x<f)\v) > 
(1 + e) (v\p\v), where e > 0. 
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The error guarantee of the theorem implies that ||<^(xn) ~ P\\i e ^(1) ( as l° n § as ra > 0), and 
therefore by Lemma l4~4l 

Pr [t; is xo-C-good] £ ft((L> log D)" 20 ) (12) 

o~iV~w ba >) 

for some £ £ ft(l/D 3 logL>). 

For any unit vector u £ C- , let ^ be the set of all x's, such that u is x-£-good. Let 

Po = Pr [XGA V ] and Pl ^ Pr [X G A v ]. 

A ~"{0,l} n A ~"{0,1}" 

By the definition of xo-e-good we know that p\ > (1 + £) ■ po- 

Note that pi is the "actual" probability of certain event (namely, X £ A v ), and p is what that 
probability would have been if the outcome of Pv^n bas ((f)(X)) did not depend on X. Based on the 
inequality between the two probabilities, we want to show that the outcome of the measurement is 
well-correlated with the value of X. For that we use a lower bound on po, as guaranteed by (fT2l . 

Now assume that the underlying distributions are X ~ Z/ro,i} n and v ~ i-V^/ bas (<^>(X)). 

H [X\v] < - Pl ■ log 2 U~ n ■ - (1- Pl ) • log 2 (V" • ^— ^ , 
1 V PoJ \ 1-PoJ 

as follows from the fact that the maximum entropy of a discrete distribution over a domain of given 
size is attained when the distribution is uniform (so, in the right-hand side we consider the situation 
when X is uniform both modulo "X £ A v " and modulo "X £" A v "). Then 

n[X\v] <n- Pl \og 2 (^) -(l-pi)log 2 (l^) =n-d KL (D \\D 1 ), 

\PoJ V 1 -PoJ 

where Di is the distribution over {0, 1} that assigns weight p,i to the outcome "0". By the Pinsker's 
inequality, 

1 1 2 

d KL (DoWDt) > l|D °~ jPl111 = 2(p! -po) 2 > 2(& ) 2 £ n{D~ A7 ), 

and therefore 

H[X]-H[X\v] en(D~ 47 ). 
Since v is the outcome of a measurement performed on a fingerprint of X, the result follows. ■ 
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A Proof of Lemma 



2.6 



Let us repeat the lemma: 



Lemma\2.6c For every < e < 2, there exists an e-netfor the set of pure states in C D with respect to 
the trace distance whose size is at most e) 2 ( d ~ 1 \ 

To prove the lemma we use the following lemma that has been stated in [JRW94], where it was 



attributed to |Syk74|. 



Lemma A.l. ( IURW94ID Let {\e±) , . . . , |e£>)} be an orthonormal basis of C D . Let \u) G C D 
be a random unit vector chosen according to the unitarily invariant probability distribution on the 



unit sphere in 



Let X; = |(ej|n)| for i = 1, . . . ,D. Then, the range of the D -tuple X 



(Xi, . . . , Xd) is equal to the probability simplex 
Afl-i = { (xi, ■ ■ ■ ,x D ) 



d 

: 

i=l 



1, Xi > (Vi) 



and the probability distribution of X is uniform on 



Corollary A.2. Let \ w) G C be a fixed unit vector. Choose a unit vector \u) £ C randomly as in 
Lemma\Al\ Then Pr \{u\w}\ 2 > x = (1 - x) ' 1 for < x < 1. 

Proof of Lemma \2.6\ The lemma can be proved by the packing argument in the same way as Lemma II.4 
of MHLSW041 and Lemma 4 of ||BHL + 05l . The difference is that we apply the packing argument di- 
rectly on the set of pure states by using Corollary IA.21 instead of applying the packing argument on 
the Euclidean space M. 2D as an intermediate step. 

Let M be a maximal subset of {\v) G C D : \\v\\ = 1} such that every pair of distinct vec- 
tors \u) , \v) G M satisfy |||tiX^| — kX^llli ^ £ - tne maximality of M, M is an e-net for the 
set of pure states in C D with respect to the trace distance. For each \u) G M, consider the open 
ball B e/2 (\u}) = {\w) G C D : \\w\\ = 1 A |||uX«| - |«0Mlli < e / 2 i- First fix \u) G M. Then, if 
we pick a unit vector \x) uniformly at random, we have 



Pr [\x) G B £/2 (\u) 



Pr 
Pr 



|nXu| — |xX^||| < - 



{u\x)\ 2 > 1 



e\ 2 
1 



e\ 2(r>-i) 
4> 



by Corollary IA.2I By the condition of M, the \M\ open balls B £ / 2 (\u}) (\u) G M) are disjoint. 
Therefore, 



1 > Pr 



z£ (J B e/2 (\u)) 

\u)£M 



^ Pr[|x) G B e/2 (\u))] = \M\ 
\u)eM 



£\2(D-1) 
1j 



which implies \M\ < (4/e) 



2(D-1) 



*Lemma\2.6\ 
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